Merge pull request #37 from trussworks/rek_update_alpine_cntr

Rek update alpine cntr
trussworks · Jan 16, 2020 · e71ddcd · e71ddcd
2 parents ebb8b1d + 7dabc10
commit e71ddcd
Show file tree

Hide file tree

Showing 8 changed files with 235 additions and 61 deletions.
diff --git a/README.md b/README.md
@@ -5,10 +5,10 @@ Creates the following resources:
 * CloudWatch log group.
 * Security Groups for the ECS service.
 * ECS service.
-* Task definition using `golang:1.12.5-alpine` (see below).
+* Task definition using `golang:alpine` (see below).
 * Configurable associations with Network Load Balancers (NLB) and Application Load Balancers (ALB).
 
-We create an initial task definition using the `golang:1.12.5-alpine` image as a way
+We create an initial task definition using the `golang:alpine` image as a way
 to validate the initial infrastructure is working: visiting the site shows
 a simple Go hello world page. We expect deployments to manage the container
 definitions going forward, not Terraform.
@@ -76,15 +76,15 @@ module "app_ecs_service" {
 | assign\_public\_ip | Whether this instance should be accessible from the public internet. Default is false. | bool | `"false"` | no |
 | associate\_alb | Whether to associate an Application Load Balancer \(ALB\) with the ECS service. | bool | `"false"` | no |
 | associate\_nlb | Whether to associate a Network Load Balancer \(NLB\) with the ECS service. | bool | `"false"` | no |
-| cloudwatch\_alarm\_actions | The list of actions to take for cloudwatch alarms | list | `[]` | no |
+| cloudwatch\_alarm\_actions | The list of actions to take for cloudwatch alarms | list(string) | `[]` | no |
 | cloudwatch\_alarm\_cpu\_enable | Enable the CPU Utilization CloudWatch metric alarm | bool | `"true"` | no |
 | cloudwatch\_alarm\_cpu\_threshold | The CPU Utilization threshold for the CloudWatch metric alarm | string | `"80"` | no |
-| cloudwatch\_alarm\_mem\_enable | Enable the Memory Utilization CloudWatch metric alarm | string | `"true"` | no |
+| cloudwatch\_alarm\_mem\_enable | Enable the Memory Utilization CloudWatch metric alarm | bool | `"true"` | no |
 | cloudwatch\_alarm\_mem\_threshold | The Memory Utilization threshold for the CloudWatch metric alarm | string | `"80"` | no |
 | cloudwatch\_alarm\_name | Generic name used for CPU and Memory Cloudwatch Alarms | string | `""` | no |
-| container\_definitions | Container definitions provided as valid JSON document. Default uses golang:1.12.5-alpine running a simple hello world. | string | `""` | no |
+| container\_definitions | Container definitions provided as valid JSON document. Default uses golang:alpine running a simple hello world. | string | `""` | no |
 | container\_health\_check\_port | An additional port on which the container can receive a health check.  Zero means the container port can only receive a health check on the port set by the container\_port variable. | string | `"0"` | no |
-| container\_image | The image of the container. | string | `"golang:1.12.5-alpine"` | no |
+| container\_image | The image of the container. | string | `"golang:alpine"` | no |
 | container\_port | The port on which the container will receive traffic. | string | `"80"` | no |
 | ecr\_repo\_arns | The ARNs of the ECR repos.  By default, allows all repositories. | list(string) | `[ "*" ]` | no |
 | ecs\_cluster | ECS cluster object for this task. | object | n/a | yes |

diff --git a/examples/simple/main.tf b/examples/simple/main.tf
@@ -1,32 +1,53 @@
+locals {
+  environment        = "test"
+  container_protocol = "HTTP"
+  container_port     = "80"
+}
+
+module "vpc" {
+  source  = "terraform-aws-modules/vpc/aws"
+  version = "~> 2"
+
+  name = var.test_name
+  cidr = "10.0.0.0/16"
+  azs  = var.vpc_azs
+
+  public_subnets = ["10.0.104.0/24", "10.0.105.0/24", "10.0.106.0/24"]
+}
 
 #
-# KMS Key
+# KMS
 #
+
 data "aws_caller_identity" "current" {}
-data "aws_region" "current" {}
 
 data "aws_iam_policy_document" "cloudwatch_logs_allow_kms" {
   statement {
     sid    = "Enable IAM User Permissions"
     effect = "Allow"
+
     principals {
       type = "AWS"
       identifiers = [
         "arn:aws:iam::${data.aws_caller_identity.current.account_id}:root",
       ]
     }
+
     actions = [
       "kms:*",
     ]
     resources = ["*"]
   }
+
   statement {
     sid    = "Allow logs KMS access"
     effect = "Allow"
+
     principals {
       type        = "Service"
-      identifiers = ["logs.${data.aws_region.current.name}.amazonaws.com"]
+      identifiers = ["logs.${var.region}.amazonaws.com"]
     }
+
     actions = [
       "kms:Encrypt*",
       "kms:Decrypt*",
@@ -41,52 +62,44 @@ data "aws_iam_policy_document" "cloudwatch_logs_allow_kms" {
 resource "aws_kms_key" "main" {
   description         = "Key for ECS log encryption"
   enable_key_rotation = true
-  policy              = data.aws_iam_policy_document.cloudwatch_logs_allow_kms.json
-}
-
-#
-# ECS Service Module
-#
 
-module "app_ecs_service" {
-  source = "../../"
-
-  name        = var.ecs_service_name
-  environment = "test"
-
-  kms_key_id = aws_kms_key.main.arn
-
-  ecs_cluster    = aws_ecs_cluster.main
-  ecs_vpc_id     = aws_vpc.main.id
-  ecs_subnet_ids = [aws_subnet.main.id]
+  policy = data.aws_iam_policy_document.cloudwatch_logs_allow_kms.json
 }
 
 #
 # ECS Cluster
 #
 
 resource "aws_ecs_cluster" "main" {
-  name = var.ecs_service_name
+  name = var.test_name
 }
 
+module "ecs-service" {
+  source = "../../"
 
-#
-# VPC
-#
+  name        = var.test_name
+  environment = local.environment
 
-resource "aws_vpc" "main" {
-  cidr_block = "10.0.0.0/16"
+  ecs_cluster      = aws_ecs_cluster.main
+  ecs_subnet_ids   = module.vpc.public_subnets
+  ecs_vpc_id       = module.vpc.vpc_id
+  ecs_use_fargate  = true
+  assign_public_ip = true
 
-  tags = {
-    Automation = "Terraform"
-  }
+  kms_key_id = aws_kms_key.main.arn
 }
 
-resource "aws_subnet" "main" {
-  vpc_id     = "${aws_vpc.main.id}"
-  cidr_block = "10.0.1.0/24"
+#
+# SG adjustment
+#
 
-  tags = {
-    Automation = "Terraform"
-  }
+resource "aws_security_group_rule" "ecs_allow_http" {
+  description       = "Allow HTTP"
+  security_group_id = module.ecs-service.ecs_security_group_id
+
+  type        = "ingress"
+  from_port   = local.container_port
+  to_port     = local.container_port
+  protocol    = "tcp"
+  cidr_blocks = ["0.0.0.0/0"]
 }
diff --git a/examples/simple/variables.tf b/examples/simple/variables.tf
@@ -1,4 +1,11 @@
-variable "ecs_service_name" {
-  description = "The name of the ECS service."
-  type        = string
+variable "region" {
+  type = string
+}
+
+variable "test_name" {
+  type = string
+}
+
+variable "vpc_azs" {
+  type = list(string)
 }
diff --git a/go.mod b/go.mod
@@ -2,4 +2,8 @@ module github.com/trussworks/terraform-aws-ecs-service
 
 go 1.13
 
-require github.com/gruntwork-io/terratest v0.23.3
+require (
+	github.com/aws/aws-sdk-go v1.28.2
+	github.com/gruntwork-io/terratest v0.23.3
+	github.com/stretchr/testify v1.4.0
+)